Threat Intelligence Domain

Module metadata

Source reference

content/modules/domain-threat-intel.md

Last updated

5 Feb 2026

Category

API Domains

Content checksum

0a048b2ed3cd438b

Tags

api-domains

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

The Threat Intelligence domain provides indicator of compromise (IOC) enrichment, correlation analysis, and threat feed management. It enables investigators to enrich IOCs with intelligence from multiple sources, identify relationships between indicators, assess threat severity, and monitor the health of threat intelligence feeds.

Key Features

  • IOC Enrichment - Enrich indicators of compromise (IP addresses, domains, file hashes, URLs, email addresses) with intelligence from multiple threat data sources for comprehensive context.

  • Multi-Source Aggregation - Query multiple threat intelligence sources simultaneously and aggregate results into a unified view with confidence scoring and source attribution.

  • Correlation Analysis - Identify relationships between indicators to uncover connections between seemingly unrelated threats and build a broader picture of adversary infrastructure.

  • Batch Processing - Enrich multiple indicators in a single operation for efficient processing of large indicator sets during investigations.

  • Threat Feed Monitoring - Track the health and freshness of connected threat intelligence feeds to ensure enrichment data is current and reliable.

  • IOC Type Support - Analyze a wide range of indicator types including IP addresses, domain names, file hashes, URLs, and email addresses with type-specific enrichment.

  • Caching and Performance - Intelligent caching of enrichment results reduces query latency and external API usage while ensuring timely updates.
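The enrichment flow these features describe, as an added illustration that is not the platform's own code or API: it classifies an indicator by type, merges hypothetical per-source verdicts into a confidence-weighted score with source attribution, and keeps feeds whose data is older than the freshness threshold out of the score while still reporting them. Feed names, verdict weights and severity thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Type-specific handling starts with classifying the indicator; hashes are
# told apart by hex length (MD5 32, SHA-1 40, SHA-256 64). Order matters:
# an IPv4 or e-mail address would otherwise also match "domain".
IOC_PATTERNS = [
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")),
    ("url", re.compile(r"^https?://", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)),
]

def classify_ioc(value: str) -> str:
    for ioc_type, pattern in IOC_PATTERNS:
        if pattern.match(value.strip()):
            return ioc_type
    return "unknown"

# Assumed weights that turn per-source verdicts into one numeric score.
VERDICT_WEIGHT = {"malicious": 1.0, "suspicious": 0.5, "benign": 0.0}

def aggregate(indicator, responses, now, max_age=timedelta(hours=24)):
    """Merge per-source results into a unified view: confidence-weighted
    score, source attribution, and a freshness check that excludes stale
    feeds from the score but lists them so analysts see the gap."""
    fresh = [r for r in responses if now - r["last_updated"] <= max_age]
    stale = [r["source"] for r in responses if r not in fresh]
    total = sum(r["confidence"] for r in fresh)
    score = sum(VERDICT_WEIGHT[r["verdict"]] * r["confidence"] for r in fresh) / total if total else 0.0
    severity = "high" if score >= 0.75 else "medium" if score >= 0.4 else "low"
    return {"indicator": indicator, "type": classify_ioc(indicator),
            "score": round(score, 2), "severity": severity,
            "attribution": {r["source"]: r["verdict"] for r in fresh},
            "stale_sources": stale}

# Constructed sample: three hypothetical feeds answering for one domain.
NOW = datetime(2026, 2, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    {"source": "feed_a", "verdict": "malicious", "confidence": 90, "last_updated": NOW - timedelta(hours=2)},
    {"source": "feed_b", "verdict": "suspicious", "confidence": 60, "last_updated": NOW - timedelta(hours=5)},
    {"source": "feed_c", "verdict": "benign", "confidence": 80, "last_updated": NOW - timedelta(days=3)},
]

def demo():
    return aggregate("malicious-example.test", SAMPLE_RESPONSES, NOW)

if __name__ == "__main__":
    print(demo())
```

Had the three-day-old benign verdict from feed_c been counted, the same indicator would have scored 0.52 (medium) instead of 0.8 (high), which is why feed freshness is tracked alongside the enrichment result.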

Use Cases

  • Incident Investigation - Enrich indicators discovered during incident response to understand their threat context, associated campaigns, and known adversary infrastructure.

  • Threat Assessment - Evaluate the severity and credibility of detected threats by correlating indicators against multiple intelligence sources.

  • Proactive Threat Hunting - Search for relationships between indicators to proactively identify threats and adversary infrastructure before they are used in attacks.

  • Intelligence Production - Aggregate and correlate threat data from multiple sources to produce finished intelligence products for stakeholder consumption.

Integration

The Threat Intelligence domain enriches security operations across the platform:

  • Investigation Management - IOC enrichment results link to active investigations
  • Alert System - High-severity threat indicators trigger automated alerts
  • Threat Actor Profiles - Indicators associate with known threat actor profiles
  • SIEM Connector - Security events correlate with threat intelligence data

Last Reviewed: 2026-02-05